[Snort-users] RE: Compaq Insight alert

Buckley, Robert (CAP, VFS, Consultant) Robert.Buckley2 at ...249...
Fri Aug 4 07:21:58 EDT 2000

The Compaq insight manager is a web-based Compaq management system.
The double dot bug is present, and it is known by Compaq and bug reporters.

The scenario:

You've installed the insight manager to C:\Compaq\Insight

http:\\www.vulernablehost.com:2301/../../winnt/repair/sam._ ...

and the file starts downloading.

In other words, if an attacker knows the path where insight has been
installed (guessed easily by default installs),
he/she may download any file providing they know the exact path and file
So if you're seeing this in your snort report, wait.. let me rephrase....
Even if you don't see an attempt on 2301 TCP... turn it off or get it fixed.

PS: If you call Compaq, the tech will scratch his head and push you to Tier
      Tier 2 will scratch their heads and tell you to upgrade all your
systems that run Insight.
PSS: I've done the upgrade Compaq support suggested. It didn't work. I turned
off all the Compaq Insight Manager services.
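
Added example, not part of the original post: a small Python check that flags request lines sent to TCP 2301 whose path climbs above the web root with `..` segments, as in the URL quoted in the message. It goes beyond the post by also normalising percent-encoded and backslash forms; the function names, record layout and sample records are constructed for illustration.

```python
from urllib.parse import unquote

INSIGHT_PORT = 2301  # TCP port named in the post


def escapes_root(target: str) -> bool:
    """Return True if the request path resolves above the web root."""
    path = target.split("?", 1)[0]
    # Decode twice so %2e%2e and double-encoded forms are normalised
    # (assumption: two passes are enough for the logs being reviewed).
    for _ in range(2):
        path = unquote(path)
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:  # climbed past the document root
                return True
        else:
            depth += 1
    return False


def flag_requests(records):
    """records: iterable of (dst_port, request_line); returns flagged lines."""
    hits = []
    for port, line in records:
        parts = line.split()
        if port != INSIGHT_PORT or len(parts) < 2:
            continue
        if escapes_root(parts[1]):
            hits.append(line)
    return hits


# Constructed sample records (destination port, HTTP request line).
SAMPLE = [
    (2301, "GET /../../winnt/repair/sam._ HTTP/1.0"),
    (2301, "GET /index.htm HTTP/1.0"),
    (2301, "GET /%2e%2e/%2e%2e/winnt/repair/sam._ HTTP/1.0"),
    (2301, "GET /images/../index.htm HTTP/1.0"),
    (80, "GET /index.htm HTTP/1.0"),
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE):
        print("traversal attempt on 2301:", hit)
```

A path such as `/images/../index.htm` is not flagged because it never leaves the root, which keeps the check from firing on ordinary relative links.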
